Understanding CJIS Compliance Physical Protection

Part 9

In the previous blog, we discussed the importance of protecting the physical as well as digital media. This time we will deep-dive into the importance of physical protection and various steps the agencies should take in order to secure the criminal justice information as per CJIS Compliance Physical Protection standards. Agencies should follow a physical protection policy and associated procedures to ensure that all the Criminal Justice Information (CJI) media, information system hardware and software are physically protected using access control measures.

Physically Secure Location

The process of media protection starts with selecting a physically secure location. A physically secure location can be any including a facility, a room, a police vehicle, an area or a group of rooms within a given facility. These locations must have both personal and physical security controls that are sufficient enough to protect CJI as well as the associated information systems. It is also to be noted that the physically secure location is subject to FBI CJIS Security addendum; criminal justice agency management control; SIB control; or a combination of these. The following sections would describe the physical controls that need to be in place in order to consider a facility to be a secure location.

Security Perimeter

The perimeter of a physically secure location must be displayed prominently separating it from the non-secure areas by physical controls. The security perimeters need to be clearly defined, secured and controlled in a manner deemed acceptable by the State Identification Bureau (SIB) or CJIS Systems Agency (CSA).

Physical Access Authorizations

The agency should prepare and maintain a list of personnel currently having authorized access to the location. The agency also would issue credentials to authorized people.

Physical Access Control

Other than the areas designated as publicly accessible by all, the agency should have complete control over all the physical access points. It should also ascertain individual access authorization before allowing access.

Access Control for Transmission Medium

Another important function of an agency is to control the physical access to information system transmission and distribution lines within the secure location.

Access Control for Display Medium

To ensure better physical protection to CJI, the agencies must control physical access to IT devices that are used to display criminal justice information. The placement of such information systems is also of importance. They need to be placed in such a way that unauthorized personnel can’t access or view CJI.

Monitoring Physical Access

Agencies need to monitor the physical access in order to detect as well as respond to any physical security incidents.

Visitor Control

Barring the areas designated as publicly accessible by all, the agency should control physical access to the critical information by authenticating the visitors before allowing escorted access to the physically secure location. Agency shall also ensure the physical protection by monitoring visitor activities and escorting them at all times

Delivery and Removal

To ensure physical protection, the agency shall control and authorize information-system related items that are entering into and moving out of the secure location

Controlled Area

In an event where the agency can’t meet all the requirements needed to set up a physically secure location but has an operational need to store and access CJI, the agency shall then designate a controlled area, a room, a storage container or an area to use it as a day-to-day CJI storage or access point. At a minimum the agency shall meet the below requirements:

Keep the room, area or storage container locked when unattended.

Limit the access to the controlled area only to personnel with authorized access rights.

Follow all the encryption requirements (which will be discussed in the next blog) for electronic storage of CJI.

Place information system documents and devices containing CJI in such a way that they are inaccessible to unauthorized individuals.

In the next blog, we will understand System and Communications Protection and Information Integrity.

DoubleHorn is one of the leading Cloud Solutions Providers founded in January 2005 and based in Austin, Texas. We offer secured Cloud solutions that meet all major compliance requirements like HIPAA, CJIS, FedRAMP, FIPS, ITAR, FERPA etc. Our services, as a Cloud Services Broker, include helping in selecting the right Cloud solution, implementing, maintaining and also offering a single source for billing and support. Contact us for a complimentary initial assessment at solutions@doublehorn.com or (855) 618-6423.